Tracking cookies are caught between two forces: browsers that actively restrict them and regulators that demand consent before you set them. If you run any form of analytics or advertising measurement, both forces affect the quality of your data right now.
This guide covers how each major browser treats cookies in 2026, how server-side cookie setting bypasses the most damaging restrictions, what EU and US privacy laws actually require from your implementation, and how consent management platforms connect all of it together. Whether you’re evaluating a move to server-side GTM or trying to understand why your attribution numbers keep shrinking, this is the technical and regulatory context you need.
How browsers restrict cookies in 2026
The gap between what your tracking code sets and what the browser actually preserves has never been wider. Each browser applies its own set of restrictions, and the combined effect hits about 20-25% of all website visitors.
Safari ITP: the strictest restrictions
Safari’s Intelligent Tracking Prevention hits hardest. Cookies set via JavaScript (document.cookie) are capped at 7 days. When users arrive through a link with tracking parameters like gclid or fbclid, that cap drops to 24 hours. After 30 days of inactivity, Safari purges all site data entirely.
Since Safari 16.4, ITP also checks IP addresses on server-set cookies. If your tracking subdomain (say gtm.yourdomain.com) resolves to a different IP range than your main site, Safari treats those cookies as third-party and caps them at 7 days too. Safari 17 went further with Advanced Tracking Protection, which can block GTM and GA CDN domains outright, and Link Tracking Protection, which strips gclid and fbclid parameters from URLs before your code can read them.
The mobile impact compounds this. Every iOS browser, including Chrome and Firefox on iPhone, runs on Safari’s WebKit engine. ITP restrictions apply to roughly 27% of mobile traffic regardless of which browser icon the user tapped.
Firefox and Chrome: different philosophies, same trend
Firefox’s Total Cookie Protection takes a partitioning approach. Third-party cookies can still be set, but each top-level site gets its own isolated “cookie jar.” A cookie set by tracker.example.com on site-a.com is invisible when the user visits site-b.com. Bounce Tracking Protection in Strict mode detects and clears data from redirect-based trackers. Unlike Safari, Firefox doesn’t restrict first-party cookie lifetimes.
Chrome keeps third-party cookies enabled by default after the Privacy Sandbox collapse. Google’s decision not to deprecate them means Chrome’s ~67% global market share still allows traditional tracking. The SameSite=Lax default is the main restriction: cookies only travel with top-level navigations, not embedded cross-site requests. But Chrome’s permissiveness is the exception, not the direction of the industry.
What this means for your data
Between Safari’s strict caps, Firefox’s partitioning, and ad blockers (used by 31.5% of global internet users), client-side tracking misses 20-40% of attribution data. For campaigns targeting mobile or younger demographics, the loss is even higher. This is the core reason server-side tracking became non-negotiable.
Server-side cookies bypass ITP
The technical fix for Safari’s JavaScript cookie restrictions is straightforward in concept: set cookies from the server instead.
When GTM Server-Side processes a request, the GA4 Client can respond with an HTTP Set-Cookie header. This creates the FPID (First Party Identifier) cookie with the HttpOnly attribute set. Safari’s 7-day cap targets JavaScript-set cookies specifically. HTTP-set cookies from a same-domain server are treated as legitimate first-party cookies with their full intended lifetime, typically 90-400 days.
The HttpOnly flag adds a second benefit: the cookie is invisible to browser JavaScript, which reduces XSS attack surface and avoids triggering ITP’s client-side cookie detection heuristics.
The IP address problem
There’s a catch. Since Safari 16.4, ITP also compares the IP address of the server setting the cookie against the IP of the main website. A standard Cloud Run deployment with a CNAME puts your tracking server on Google’s IP range while your website sits on your hosting provider’s IPs. Safari sees the mismatch and applies the 7-day cap anyway.
Three approaches solve this:
First Party Mode (FPM) is Google’s answer, still in beta as of early 2026. It routes tracking through infrastructure that shares the same IP context as your main domain.
Reverse proxy setups route both your website and tracking subdomain through the same infrastructure. If both domains sit behind the same Cloudflare proxy, for example, the IPs match and Safari treats cookies as genuinely first-party.
Stape’s Cookie Keeper takes a different approach: it regularly refreshes cookies that Safari would expire, extending lifetimes to 90 days or 13 months without requiring IP matching.
How much data do you actually recover?
Recovery depends on your audience mix. Sites with high mobile traffic or younger demographics (where Safari share is highest) recover 25-35% of lost signals. Mixed desktop/mobile sites recover 15-25%. B2B sites with desktop-heavy traffic recover 10-15%. First-party CNAME tracking captures 95%+ of sessions, compared to 60-70% with third-party scripts.
EU consent rules: two frameworks, one outcome
Cookie consent in the EU operates under two overlapping legal frameworks, and both point to the same practical requirement: you need explicit permission before setting non-essential cookies.
The ePrivacy Directive covers the act of storing or accessing information on a user’s device. It requires prior consent for any non-essential cookie, regardless of whether the data qualifies as personal. The European Commission formally withdrew the proposed ePrivacy Regulation in February 2025, so the existing Directive remains the governing framework.
GDPR applies whenever cookies involve personal data (which analytics cookies almost always do). It sets the bar for what valid consent looks like: freely given (no cookie walls that block content), specific (granular per-purpose), informed (clear descriptions of what each cookie does), and unambiguous (an active choice, not a pre-ticked box or continued browsing).
In practice, analytics cookies require explicit prior consent under current EDPB and DPA interpretations. Legitimate interest doesn’t justify non-essential cookies. Only strictly necessary cookies (session management, load balancing, security tokens, language preferences) are exempt.
The EDPB’s Guidelines 2/2023, finalized October 2024, extended ePrivacy scope beyond cookies to tracking pixels, tracking links, device fingerprinting, and IoT reporting. CNIL’s June 2025 draft recommendations now require separate consent for tracking pixels in emails, distinct from email marketing consent itself.
GDPR enforcement keeps accelerating. Cumulative fines have reached €6.7 billion across 2,679 actions, with 2025 alone accounting for €2.3 billion (a 38% year-over-year increase).
US privacy: the opt-out patchwork
The US model works in the opposite direction. Data collection proceeds by default; consumers must be given the ability to opt out. Twenty states now have comprehensive privacy laws, with Indiana, Kentucky, and Rhode Island taking effect January 1, 2026.
California’s CCPA/CPRA leads with the broadest requirements. The “Do Not Sell or Share” obligation covers cross-context behavioral advertising. New 2026 regulations add mandatory opt-out confirmation with visible status indicators, expanded dark pattern prohibitions (an asymmetric button layout or closing a popup can’t equal consent), risk assessments before high-risk processing, and executive attestation requirements under penalty of perjury.
GPC is no longer optional
Global Privacy Control (GPC) recognition is mandatory in at least 8 states: California, Colorado, Connecticut, Oregon, Texas, Montana, Delaware, and Nebraska. A joint investigative sweep by California, Colorado, and Connecticut targeting non-compliance has produced seven-figure settlements. Texas pursued its first action targeting foreign data access through Allstate/Arity for collecting data on 45 million Americans.
For analytics implementations, this means your site must detect the GPC browser signal and treat it as a valid opt-out request. Ignoring it isn’t a grey area anymore.
The operational challenge
This regulatory divergence (EU opt-in vs. US opt-out, with state-by-state variations) creates real operational complexity. Server-side architectures handle this more cleanly than client-side scripts because consent logic can be centralized and enforced at the server layer. One control point, applied consistently across all vendor endpoints, beats scattered JavaScript snippets that may or may not respect consent depending on load order and ad blocker behavior.
Connecting consent to your server-side tags
Consent Management Platforms bridge the gap between user choices and tag behavior. The signal chain works like this: the CMP captures consent choices client-side, passes those signals to the server container through DataLayer variables and HTTP parameters (including the Google Consent Mode v2 API), and the server container reads consent state before deciding which tags to fire.
From a compliance perspective, server-side tracking gives you a single enforcement point. Instead of relying on each client-side tag to independently check consent state, you enforce it once at the server layer. A tag can’t fire if the server never sends the request.
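The single enforcement point described above, for the GPC handling in the US section and the consent signal chain here, written as an added example (not code from the article, Google, or any CMP). The Consent Mode v2 signal names are Google's and Sec-GPC is the request header browsers send when Global Privacy Control is on; the region split, the tag-to-signal table and the way GPC is mapped onto the advertising signals are assumptions for the example.

```javascript
// Added example (not from the article or any CMP): a single consent gate the
// server container evaluates before forwarding anything to a vendor.
// Consent Mode v2 signal names are Google's and Sec-GPC is the GPC request
// header; the region split, tag table and GPC handling are assumptions here.

const OPT_IN_REGIONS = new Set(["EEA", "UK", "CH"]); // prior consent required
const SIGNALS = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];
const AD_SIGNALS = SIGNALS.slice(1);

// Which signals each server-side tag needs (assumed mapping for the example).
const TAG_REQUIREMENTS = {
  ga4: ["analytics_storage"],
  google_ads_remarketing: ["ad_storage", "ad_user_data", "ad_personalization"],
  meta_capi: ["ad_storage", "ad_user_data"],
};

// consent: CMP choices relayed to the server, e.g. { ad_storage: "denied" }.
// headers: lowercase request headers; browsers send "sec-gpc: 1" when GPC is on
// (client-side the same signal is navigator.globalPrivacyControl).
function effectiveConsent(region, consent, headers) {
  const optIn = OPT_IN_REGIONS.has(region);
  const gpc = headers["sec-gpc"] === "1";
  const state = {};
  for (const signal of SIGNALS) {
    // Opt-in regimes: denied unless explicitly granted.
    // Opt-out regimes: granted unless explicitly denied.
    let granted = optIn ? consent[signal] === "granted" : consent[signal] !== "denied";
    // GPC is treated as an opt-out of sale/sharing, so it turns off the
    // advertising signals in every opt-out region, not only the eight states
    // that currently mandate it (assumed policy for this example).
    if (gpc && !optIn && AD_SIGNALS.includes(signal)) granted = false;
    state[signal] = granted ? "granted" : "denied";
  }
  return state;
}

// Tags the server may fire for this request; anything not listed never leaves the server.
function tagsToFire(region, consent, headers) {
  const state = effectiveConsent(region, consent, headers);
  return Object.keys(TAG_REQUIREMENTS).filter((tag) =>
    TAG_REQUIREMENTS[tag].every((signal) => state[signal] === "granted"));
}
```

Because the decision is computed once per request from the relayed consent state and the request headers, load order and ad blockers on the client cannot make a tag fire that the server has decided against.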
Choosing a CMP
Key CMPs in the Google ecosystem include Usercentrics/Cookiebot, OneTrust, Didomi, CookieYes, Axeptio, and Ketch. Google requires publishers using AdSense, Ad Manager, or AdMob to use a certified CMP with TCF v2.2 integration for personalized ads in EEA/UK. Certification comes in Gold, Silver, and Bronze tiers.
When evaluating options, prioritize: Google CMP certification, native Consent Mode v2 integration, multi-jurisdiction support (EU opt-in plus US opt-out in one platform), GPC signal recognition, and sub-500ms latency impact on Core Web Vitals.
Identity resolution beyond cookies
Even with server-side cookies extending lifetimes, cookies alone don’t solve cross-device tracking or attribution after users clear their browser data. Several identity resolution approaches fill this gap.
Google Enhanced Conversions captures first-party data at conversion points (email, phone, name, address), hashes it with SHA-256, and sends it alongside conversion tags. Google matches against signed-in accounts to attribute conversions even when cookies have been deleted. Advertisers report 5-25% conversion uplift, with the best results when more than half of conversions include enhanced data.
Unified ID 2.0 (UID2), created by The Trade Desk, uses encrypted email addresses with explicit user consent. Its European variant EUID is designed for GDPR/TCF compliance. Adoption spans major SSPs including Index Exchange, Magnite, PubMatic, and OpenX.
Data clean rooms are becoming standard infrastructure for privacy-safe data collaboration. Platform-specific options include Google Ads Data Hub, Meta Advanced Analytics, and Amazon Marketing Cloud. Cloud-native options like Snowflake, AWS Clean Rooms, and BigQuery support multi-party collaboration with privacy controls built in.
These approaches complement server-side tracking rather than replacing it. Enhanced Conversions, for instance, works best when delivered through a server-side GTM tag that can enrich the data before forwarding it to Google.
Making it work together
The pieces of this puzzle (browser restrictions, server-side cookies, consent frameworks, identity resolution) aren’t independent. They form a stack, and gaps in any layer undermine the others.
Server-side cookies solve the browser restriction problem but create compliance obligations. Consent management satisfies regulators but reduces your data volume. Identity resolution recovers some of that lost volume, but only works with proper consent and server-side infrastructure to deliver the signals.
For most sites, the highest-impact combination is a server-side GTM container on a properly configured custom domain, a certified CMP with Consent Mode v2, and Enhanced Conversions on key conversion events. That covers the most common data loss scenarios while satisfying both EU and US privacy requirements.
Beyond that baseline, your audience mix determines priorities. High Safari traffic makes IP matching worth solving. A significant EEA audience means your hosting should sit in EU regions. Heavy Meta campaign spend warrants CAPI (Meta’s Conversions API) with proper event deduplication. Each layer becomes easier to add when the server-side infrastructure already exists.